Outline

- Two separate prototypes - FLYING PIG and HUSH PUPPY

- Both are cloud analytics which work on bulk unselected data

- FLYING PIG is a knowledge base for investigating TLS/SSL traffic

- HUSH PUPPY is a tool for attributing private network traffic
FLYING PIG - TLS/SSL Background

- TLS/SSL (Transport Layer Security / Secure Sockets Layer) provides encrypted communication over the internet

- Simple TLS/SSL handshake (diagram):

  Client -> Server: Client hello
  Server -> Client: Server hello, Certificate, Server hello done
Motivations for FLYING PIG

More and more services used by GCHQ targets are moving to TLS/SSL to increase user confidence, e.g. Hotmail, Yahoo, Gmail, etc.

Terrorists and cyber criminals are common users of TLS/SSL to hide their comms (not necessarily using the big providers).

A TLS/SSL knowledge base could provide a means to extract as much information from the unencrypted traffic as possible.
FLYING PIG implementation

• Federated QFD approach

- Multiple separate cloud analytics, each of which produce a QFD (Query Focussed Dataset).

- Analytics are run once a week, on approximately 20 billion events.

- A single query in the web interface results in calls to multiple QFDs, which are returned to the user in separate panels.

- Results in:

(a) fast queries,

(b) easy-to-maintain modular code, and importantly

(c) easy to add future TLS/SSL QFDs.
Query by certificate metadata

[Screenshot of the FLYING PIG web interface ("FLYING PIG - TLS/SSL Knowledge Base"; tabs: HRA Justification, Query FLYING PIG - general SSL toolkit, Query QUICK ANT - Tor events QFD, Prototype owner).]

Query form: one "IP / network / certificate field" box, queried as Client IP, Server IP or Both; or as a Network [e.g. 1.2.3.0/24]; or as a Server Certificate [e.g. %example.com (use % for wildcards)]. Server certificate fields to search within: Subject common name, Subject organisation name, Issuer common name, Issuer organisation name, RSA modulus. The example shown is a certificate field search for %mail.ru.

Result panels returned for the query:

- "All HTTP requests matching your query" - columns: Server IP, Host name, First seen, Last seen, Count w/e 25th Nov, Count all time (500 items, paged 10/25/50/100).

- "Server IPs" - columns: Server IP, Cert count w/e 25th Nov, Cert count all time, Self signed (500 items). Tip 1: Right click on a server IP to explore it further!

- "All certificates matching your query" - columns: Full certificate, First seen, Last seen, Count w/e 25th Nov, Count all time, Valid from, Valid to, Subject common name, Subject country, Subject org name, Issuer common name, Issuer country, Issuer org name (70 items).
  Tip 1: Right click on a row to find all server IPs that serve that certificate!
  Tip 2: Click on the disk icon in the title bar to download data in CSV format!
  Tip 3: Double-click on a field to enable copy and paste!
  Tip 4: Change displayed columns ('Basic' is default; 'Advanced' adds RSA Modulus and cipher suite distribution columns).
Query by server IP

[Screenshot of the same interface, the query box now run as a Server IP (a Mail.Ru server in the example); the earlier %mail.ru certificate field search remains as a breadcrumb.]

Panels available for a server IP: General IP info, Top 10 SSL client geos, Top 10 SSL server ports, Top 10 SSL case notations, SSL Traffic stats; server IP-specific panels: SSL Server certificates seen on this IP, SSL Pattern of life, HTTP requests to this IP, Top 100 SSL clients.

- General IP info for the server IP: Geolocation (Country: RU (M); City: MOSCOW (L)), WHOIS info (Company: Mail.Ru; Domain: mail.ru), AS info (Advertised by AS: 47764; AS name: MAILRU-AS Limited liability company Mail.Ru), DNS (No results), Tor node (No matches).

- SSL Traffic stats: Overall, and for week ending 2011-12-23: No. unique clients = 104317; % client-server IPs with traffic seen in both directions (chart of unique clients with client-server traffic only, server-client traffic only, and bidirectional traffic).

- SSL Certificates seen on this IP - columns: First seen on this IP, Last seen on this IP, Count w/e 25th Nov, Count all time, Valid from, Valid to, Subject common name, Issuer common name (3 items). Tip 1: Right click on a certificate to explore it further!

- Average pattern of life for a client (seeded around SSL events to this server IP) - columns: Correlated event, Event IP, Event port, Percentage occurrences of event (233 items; the top entries are HTTP GET requests to other mail.ru hosts on port 80). Tip 1: Filter by min. % occurrences of event.

- HTTP requests to this IP (top 100) - columns: Host name requested, First seen, Last seen, Count last week, Count all time (226 items). Tip 1: Right click on a server IP to explore it as an SSL server!
Query by server IP (continued)

[Screenshot of the same server IP query, scrolled to the "Top 100 SSL clients of server" panel; the panel selector lists General IP info, SSL Server certificates seen on this IP, Top 10 SSL client geos, SSL Pattern of life, Top 10 SSL server ports, HTTP requests to this IP, Top 10 SSL case notations, Top 100 SSL clients and SSL Traffic stats.]

- Top 100 SSL clients of server: Tip 1: Filter by country of client IP (e.g. enter nothing to avoid filtering or PK,IR,IQ to filter by multiple countries), with the options "Only show clients in these countries" / "Remove clients in these countries" and "Remove clients that also act as servers"; Number of results returned: 100. Tip 2: Right click on a client or server IP to explore it further! Columns: Client IP, Client country (conf), Client company, First seen, Last seen, Count w/e 25th Nov, Count all time, Pairing status w/e 25th Nov, Pairing status all time (pairing status is one of "Both directions", "Client -> Server only", "Server -> Client only").
TOP SECRET//SI//REL TO USA, AUS, CAN, GBR, NZL

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation.

Refer any queries to

Contains Intellectual

The material may be disseminated throughout the recipient organisation, but GCHQ permission must be obtained for dissemination outside the organisation.

GCHQ

Query by client IP

[Screenshot of the same interface, the query box now run as a Client IP; the earlier certificate field search and server IP query remain as breadcrumbs.]

Client IP-specific panels: General IP info, SSL Servers visited.

- General IP info for the client IP: Geolocation (Country: KR (M); City: SEOUL (L)), WHOIS info (Company: Korea Telecom), AS info (Advertised by AS: 4766; AS name: KIXS-AS-KR Korea Telecom), DNS (No results), Tor node.

- Top 100 SSL servers visited by the client IP: filter options "Only show servers in these countries" / "Remove servers in these countries". Tip 2: Right click on a client or server IP to explore it further! Columns: Server IP, Server country (conf), Server company info (from GEOFUSION export), First seen, Last seen, Count w/e 25th Nov, Count all time, Pairing status w/e 25th Nov, Pairing status all time (8 items; most are Mail.Ru servers, RU(M), with "Both directions" pairing).
Query by network range

[Screenshot of the same interface, the query box now run as a Network (a /24 in the example); the earlier certificate field, server IP and client IP queries remain as breadcrumbs.]

Network-specific panels: General network info, SSL Clients present in network, SSL Servers present in network, HTTP requests to IPs in network.

- General network info for the /24: Geolocation (Country: KR (M); City: SEOUL (L)); WHOIS info, AS info and DNS all return "No results".

- SSL clients in network - columns: Client IP, Client company info (from GEOFUSION export), First seen, Last seen, Total SSL traffic w/e 25th Nov, Total SSL traffic all time, Num. unique servers contacted w/e 25th Nov, Num. unique servers contacted all time (57 items, attributed to Korea_Telecom;mailplug.co.kr). Tip 1: Right click on a client IP to explore it further!

- SSL servers in network - columns: Server company info (from GEOFUSION export), Last week seen, % Paired clients that week, Num. unique clients that week, Num. unique clients all time (3 items). Tip 1: Right click on a server IP to explore it further!

- HTTP requests to IPs in network (top 100) - columns: Server IP, Host name requested, First seen, Last seen, Count last week, Count all time (1 item). Tip 1: Right click on a server IP to explore it as an SSL server!
Cyber applications

• Diginotar certificate authority compromise:

- Private keys of legitimate certificate authority, Diginotar, stolen by hacker.

- FLYING PIG was used to identify a FIS using them to launch a MITM against their own citizens.

How the attack was done: [diagram]

FLYING PIG screenshot showing fake certificate: [rows from the "All certificates matching your query" panel, all with subject common name *.google.com (subject org google inc, country us) but with different issuers, among them "diginotar public ca 2025" (issuer country nl, issuer org diginotar); the remaining columns are first/last seen, weekly and all-time counts, validity period and the self-signed flag.]
Cyber applications

• Other Cyber applications:

- Multiple examples of FIS data exfiltration using SSL have been found using FLYING PIG.

- In particular, certificates related to LEGION JADE, LEGION RUBY, and MAKERSMARK activity were found on FLYING PIG using known signatures.

- These were then used to find previously unknown servers involved in exfiltration from US companies.

- FLYING PIG has also been used to identify events involving a mail server used by Russian Intelligence.
Identification of malicious TLS/SSL

• Can identify malicious TLS/SSL using signatures if known

• However this approach generally does not allow discovery of new threats

• Alternative is to use "behavioural" features to automatically identify potentially malicious traffic

• Features currently being investigated include:

- Certificates with same subject but different issuers - may be indicative of Diginotar-style attack

- Beaconing in TLS/SSL (indicative of botnets/FIS implants)

- Number of client cipher suites offered

- Repeated identical random challenges
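The four behavioural features above, as an added example that is not FLYING PIG code: each is computed over a small set of constructed TLS session records, and the thresholds (four connections and a 10% coefficient of variation for beaconing, three or fewer offered cipher suites) are assumptions for the demonstration, not values from the slide.

```python
"""Behavioural TLS/SSL features of the kind the slide lists, over constructed
session metadata. Added example, not FLYING PIG code; thresholds are assumed."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple

class TlsSession(NamedTuple):
    ts: float           # time of the ClientHello, epoch seconds
    client: str         # client IP
    server: str         # server IP
    subject_cn: str     # server certificate subject common name
    issuer_cn: str      # server certificate issuer common name
    client_random: str  # ClientHello random (32 bytes, hex)
    n_ciphers: int      # number of cipher suites offered by the client

def multi_issuer_subjects(sessions):
    """Feature 1: a subject CN certified by more than one issuer (the
    Diginotar-style pattern). Returns {subject: sorted issuers}."""
    issuers = defaultdict(set)
    for s in sessions:
        issuers[s.subject_cn].add(s.issuer_cn)
    return {cn: sorted(i) for cn, i in issuers.items() if len(i) > 1}

def beaconing_pairs(sessions, min_conns=4, max_cv=0.1):
    """Feature 2: client/server pairs whose inter-connection gaps are nearly
    constant (coefficient of variation <= max_cv). Returns {pair: mean gap}."""
    times = defaultdict(list)
    for s in sessions:
        times[(s.client, s.server)].append(s.ts)
    beacons = {}
    for pair, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            beacons[pair] = round(float(mu), 1)
    return beacons

def sparse_cipher_clients(sessions, max_ciphers=3):
    """Feature 3: clients offering very few cipher suites (browsers offer
    dozens; minimal custom TLS stacks often offer one or two)."""
    return sorted({s.client for s in sessions if s.n_ciphers <= max_ciphers})

def repeated_randoms(sessions):
    """Feature 4: a ClientHello random reused across handshakes. It must be
    fresh each time, so a repeat points at a broken RNG or a canned hello."""
    seen = defaultdict(list)
    for s in sessions:
        seen[s.client_random].append((s.client, s.server))
    return {r: pairs for r, pairs in seen.items() if len(pairs) > 1}

def _rand(seed):
    """Constructed stand-in for a 32-byte ClientHello random."""
    return f"{seed:064x}"

# Constructed sample: an ordinary client, a second server presenting the same
# subject under another issuer, and a periodic client with a two-suite cipher
# list whose ClientHello random never changes.
SAMPLE = [
    TlsSession(1000, "10.1.1.5", "198.51.100.10", "*.example.com", "issuer-a", _rand(1), 30),
    TlsSession(1700, "10.1.1.5", "198.51.100.10", "*.example.com", "issuer-a", _rand(2), 30),
    TlsSession(1900, "10.1.1.5", "198.51.100.10", "*.example.com", "issuer-a", _rand(3), 30),
    TlsSession(4000, "10.1.1.5", "198.51.100.10", "*.example.com", "issuer-a", _rand(4), 30),
    TlsSession(2000, "10.1.1.6", "203.0.113.9", "*.example.com", "issuer-b", _rand(5), 30),
    TlsSession(5000, "10.1.1.7", "203.0.113.77", "beacon.example.net", "beacon.example.net", _rand(9), 2),
    TlsSession(5300, "10.1.1.7", "203.0.113.77", "beacon.example.net", "beacon.example.net", _rand(9), 2),
    TlsSession(5600, "10.1.1.7", "203.0.113.77", "beacon.example.net", "beacon.example.net", _rand(9), 2),
    TlsSession(5900, "10.1.1.7", "203.0.113.77", "beacon.example.net", "beacon.example.net", _rand(9), 2),
]

def analyse(sessions=SAMPLE):
    """Run all four feature extractors and collect their findings."""
    return {
        "multi_issuer": multi_issuer_subjects(sessions),
        "beaconing": beaconing_pairs(sessions),
        "sparse_ciphers": sparse_cipher_clients(sessions),
        "repeated_randoms": repeated_randoms(sessions),
    }
```

On the sample the ordinary client is flagged by none of the four features, while the periodic client is flagged by three and the shared *.example.com subject by the first.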
HUSH PUPPY - motivation

• Much private network traffic seen but previously discarded

• If traffic could be attributed, potential high value - close access

• HUSH PUPPY is a bulk private network identification Cloud analytic

• Basic idea is to look for the same TDI being seen coming from a private address and then from a public address within a short time

• The private traffic can then be attributed to the owner of the public address

• Works for SSE & COMSAT
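The correlation the slide describes, as an added example that is not HUSH PUPPY code: an identifier (TDI, here a constructed cookie value) seen from an RFC 1918 address and again from a public address within a short window links the two, and the private /24 is attributed to the public address that the most distinct identifiers support. The 60-second window, the /24 grouping and the minimum of two supporting identifiers are assumptions; the minimum is the control for the few-events false positives the Results slide notes.

```python
"""Time-window correlation of one identifier (TDI) seen first from a private
address and then from a public one, as the slide describes. Added example
with constructed events, not HUSH PUPPY code; window and min_tdis are assumed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import NamedTuple

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Event(NamedTuple):
    ts: float   # epoch seconds
    src: str    # source IP as seen on the wire
    tdi: str    # identifier carried by the session, e.g. a cookie value

def is_private(ip):
    """True for RFC 1918 addresses."""
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def correlate(events, window=60.0):
    """Return (private_src, public_src, tdi) for each identifier seen from a
    private address and then from a public one within `window` seconds."""
    by_tdi = defaultdict(list)
    for e in events:
        by_tdi[e.tdi].append(e)
    hits = []
    for tdi, evs in by_tdi.items():
        evs.sort()
        for i, priv in enumerate(evs):
            if not is_private(priv.src):
                continue
            for pub in evs[i + 1:]:
                if pub.ts - priv.ts > window:
                    break
                if not is_private(pub.src):
                    hits.append((priv.src, pub.src, tdi))
                    break
    return hits

def attribute(events, window=60.0, min_tdis=2):
    """Attribute each private /24 to the public address it pairs with most,
    requiring at least `min_tdis` distinct identifiers as support: the guard
    against the few-event false positives the Results slide mentions.
    Returns {private_net: (public_ip, number_of_supporting_tdis)}."""
    support = defaultdict(lambda: defaultdict(set))
    for priv, pub, tdi in correlate(events, window):
        net = str(ip_network(f"{priv}/24", strict=False))
        support[net][pub].add(tdi)
    result = {}
    for net, pubs in support.items():
        pub, tdis = max(pubs.items(), key=lambda kv: len(kv[1]))
        if len(tdis) >= min_tdis:
            result[net] = (pub, len(tdis))
    return result

# Constructed events: two hosts behind one NAT whose cookies reappear from its
# public address; one cookie whose public sighting is far outside the window;
# one lone identifier pairing a different private range with another public IP.
SAMPLE = [
    Event(100.0, "10.20.30.4", "cookie-A"),
    Event(112.0, "198.51.100.7", "cookie-A"),
    Event(200.0, "10.20.30.9", "cookie-B"),
    Event(230.0, "198.51.100.7", "cookie-B"),
    Event(300.0, "10.20.30.4", "cookie-C"),
    Event(9000.0, "203.0.113.5", "cookie-C"),
    Event(400.0, "192.168.1.20", "cookie-D"),
    Event(410.0, "203.0.113.5", "cookie-D"),
]
```

With the defaults only 10.20.30.0/24 is attributed (two identifiers agree on 198.51.100.7); the single cookie-D pairing is held back until `min_tdis` is lowered.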
HUSH PUPPY - example

[Diagram: NAT or proxy]
Other HUSH PUPPY datasets

• HUSH PUPPY also makes use of Yahoo T-cookies to do correlations

• A T-cookie contains the IP address of the client as Yahoo sees it

• Hence a T-cookie coming from a private IP can give the public IP of the NAT or proxy

• In addition, HUSH PUPPY uses the following data to help verify results

• Kerberos & Lotus Notes: Domains, organisations, departments, countries, machine names, user names

• HTTP: Heuristic detection of Intranet web servers

• SSL: Issuers, subjects, countries

• SMTP: From & to domains
Results - what do we find?

Foreign government networks
Airlines
Energy companies
Financial organisations

In cases of good collection, 50-80% of collected private network traffic has been attributed

Some false positives can arise if few events correlated, due to factors such as TDIs not being completely unique and public internet proxies giving misleading public IP results

Results can frequently be verified using Kerberos etc data
Examples of operational successes

• A large private network related to the Afghan government was identified, with ~800,000 events correlated.

• Examination of the case notations suggested it belonged to the Afghan MOD

- A Kerberos domain mod.local

- HTTP servers *.mod.local & mail

- SSL certificates with the subject "Ministry of Defense" and the geo "AF"

• Results confirmed by analysis of content on XKEYSCORE

• A VSAT private network belonging to a Ministry of Foreign Affairs was identified

• NOSEY PARKER events were correlated with SSE
Contacts

• FLYING PIG -

• HUSH PUPPY -